From: Greg Kroah-Hartman Date: Thu, 4 Dec 2014 23:56:46 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.62~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27a00481fcccf5814b1c41c6b6f8cde114fbdd5e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch arm-8222-1-mvebu-enable-strex-backoff-delay.patch bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch input-xpad-use-proper-endpoint-type.patch iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch rt2x00-do-not-align-payload-on-modern-h-w.patch spi-dw-fix-dynamic-speed-change.patch srp-target-retry-when-qp-creation-fails-with-enomem.patch target-don-t-call-tfo-write_pending-if-data_length-0.patch --- diff --git a/queue-3.10/arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch b/queue-3.10/arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch new file mode 100644 index 00000000000..bbb98042362 --- /dev/null +++ b/queue-3.10/arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch @@ -0,0 +1,51 @@ +From ef59a20ba375aeb97b3150a118318884743452a8 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Fri, 21 Nov 2014 15:29:00 +0100 +Subject: ARM: 8216/1: xscale: correct auxiliary register in suspend/resume + +From: Dmitry Eremin-Solenikov + +commit ef59a20ba375aeb97b3150a118318884743452a8 upstream. + +According to the manuals I have, XScale auxiliary register should be +reached with opc_2 = 1 instead of crn = 1. cpu_xscale_proc_init +correctly uses c1, c0, 1 arguments, but cpu_xscale_do_suspend and +cpu_xscale_do_resume use c1, c1, 0. Correct suspend/resume functions to +also use c1, c0, 1. + +The issue was primarily noticed thanks to qemu reporing "unsupported +instruction" on the pxa suspend path. Confirmed in PXA210/250 and PXA255 +XScale Core manuals and in PXA270 and PXA320 Developers Guides. + +Harware tested by me on tosa (pxa255). Robert confirmed on pxa270 board. + +Tested-by: Robert Jarzmik +Signed-off-by: Dmitry Eremin-Solenikov +Acked-by: Robert Jarzmik +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mm/proc-xscale.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mm/proc-xscale.S ++++ b/arch/arm/mm/proc-xscale.S +@@ -535,7 +535,7 @@ ENTRY(cpu_xscale_do_suspend) + mrc p15, 0, r5, c15, c1, 0 @ CP access reg + mrc p15, 0, r6, c13, c0, 0 @ PID + mrc p15, 0, r7, c3, c0, 0 @ domain ID +- mrc p15, 0, r8, c1, c1, 0 @ auxiliary control reg ++ mrc p15, 0, r8, c1, c0, 1 @ auxiliary control reg + mrc p15, 0, r9, c1, c0, 0 @ control reg + bic r4, r4, #2 @ clear frequency change bit + stmia r0, {r4 - r9} @ store cp regs +@@ -552,7 +552,7 @@ ENTRY(cpu_xscale_do_resume) + mcr p15, 0, r6, c13, c0, 0 @ PID + mcr p15, 0, r7, c3, c0, 0 @ domain ID + mcr p15, 0, r1, c2, c0, 0 @ translation table base addr +- mcr p15, 0, r8, c1, c1, 0 @ auxiliary control reg ++ mcr p15, 0, r8, c1, c0, 1 @ auxiliary control reg + mov r0, r9 @ control register + b cpu_resume_mmu + ENDPROC(cpu_xscale_do_resume) diff --git a/queue-3.10/arm-8222-1-mvebu-enable-strex-backoff-delay.patch b/queue-3.10/arm-8222-1-mvebu-enable-strex-backoff-delay.patch new file mode 100644 index 00000000000..dfac329d5f1 --- /dev/null +++ b/queue-3.10/arm-8222-1-mvebu-enable-strex-backoff-delay.patch @@ -0,0 +1,55 @@ +From 995ab5189d1d7264e79e665dfa032a19b3ac646e Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Tue, 25 Nov 2014 18:43:15 +0100 +Subject: ARM: 8222/1: mvebu: enable strex backoff delay + +From: Thomas Petazzoni + +commit 995ab5189d1d7264e79e665dfa032a19b3ac646e upstream. + +Under extremely rare conditions, in an MPCore node consisting of at +least 3 CPUs, two CPUs trying to perform a STREX to data on the same +shared cache line can enter a livelock situation. + +This patch enables the HW mechanism that overcomes the bug. This fixes +the incorrect setup of the STREX backoff delay bit due to a wrong +description in the specification. + +Note that enabling the STREX backoff delay mechanism is done by +leaving the bit *cleared*, while the bit was currently being set by +the proc-v7.S code. + +[Thomas: adapt to latest mainline, slightly reword the commit log, add +stable markers.] + +Fixes: de4901933f6d ("arm: mm: Add support for PJ4B cpu and init routines") + +Signed-off-by: Nadav Haklai +Signed-off-by: Thomas Petazzoni +Acked-by: Gregory CLEMENT +Acked-by: Jason Cooper +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mm/proc-v7.S | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/arm/mm/proc-v7.S ++++ b/arch/arm/mm/proc-v7.S +@@ -201,7 +201,6 @@ __v7_pj4b_setup: + /* Auxiliary Debug Modes Control 1 Register */ + #define PJ4B_STATIC_BP (1 << 2) /* Enable Static BP */ + #define PJ4B_INTER_PARITY (1 << 8) /* Disable Internal Parity Handling */ +-#define PJ4B_BCK_OFF_STREX (1 << 5) /* Enable the back off of STREX instr */ + #define PJ4B_CLEAN_LINE (1 << 16) /* Disable data transfer for clean line */ + + /* Auxiliary Debug Modes Control 2 Register */ +@@ -224,7 +223,6 @@ __v7_pj4b_setup: + /* Auxiliary Debug Modes Control 1 Register */ + mrc p15, 1, r0, c15, c1, 1 + orr r0, r0, #PJ4B_CLEAN_LINE +- orr r0, r0, #PJ4B_BCK_OFF_STREX + orr r0, r0, #PJ4B_INTER_PARITY + bic r0, r0, #PJ4B_STATIC_BP + mcr p15, 1, r0, c15, c1, 1 diff --git a/queue-3.10/bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch b/queue-3.10/bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch new file mode 100644 index 00000000000..83d9046a4c5 --- /dev/null +++ b/queue-3.10/bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch @@ -0,0 +1,72 @@ +From 01a4cc4d0cd6a836c7b923760e8eb1cbb6a47258 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Thu, 20 Nov 2014 11:17:33 +0100 +Subject: bnx2fc: do not add shared skbs to the fcoe_rx_list + +From: Maurizio Lombardi + +commit 01a4cc4d0cd6a836c7b923760e8eb1cbb6a47258 upstream. + +In some cases, the fcoe_rx_list may contains multiple instances +of the same skb (the so called "shared skbs"). + +the bnx2fc_l2_rcv thread is a loop that extracts a skb from the list, +modifies (and destroys) its content and then proceed to the next one. +The problem is that if the skb is shared, the remaining instances will +be corrupted. + +The solution is to use skb_share_check() before adding the skb to the +fcoe_rx_list. + +[ 6286.808725] ------------[ cut here ]------------ +[ 6286.808729] WARNING: at include/scsi/fc_frame.h:173 bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]() +[ 6286.808748] Modules linked in: bnx2x(-) mdio dm_service_time bnx2fc cnic uio fcoe libfcoe 8021q garp stp mrp libfc llc scsi_transport_fc scsi_tgt sg iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel e1000e ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper ptp cryptd hpilo serio_raw hpwdt lpc_ich pps_core ipmi_si pcspkr mfd_core ipmi_msghandler shpchp pcc_cpufreq mperf nfsd auth_rpcgss nfs_acl lockd sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit ata_piix drm_kms_helper ttm drm libata i2c_core hpsa dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mdio] +[ 6286.808750] CPU: 3 PID: 1304 Comm: bnx2fc_l2_threa Not tainted 3.10.0-121.el7.x86_64 #1 +[ 6286.808750] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 +[ 6286.808752] 0000000000000000 000000000b36e715 ffff8800deba1e00 ffffffff815ec0ba +[ 6286.808753] ffff8800deba1e38 ffffffff8105dee1 ffffffffa05618c0 ffff8801e4c81888 +[ 6286.808754] ffffe8ffff663868 ffff8801f402b180 ffff8801f56bc000 ffff8800deba1e48 +[ 6286.808754] Call Trace: +[ 6286.808759] [] dump_stack+0x19/0x1b +[ 6286.808762] [] warn_slowpath_common+0x61/0x80 +[ 6286.808763] [] warn_slowpath_null+0x1a/0x20 +[ 6286.808765] [] bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc] +[ 6286.808767] [] ? bnx2fc_disable+0x90/0x90 [bnx2fc] +[ 6286.808769] [] kthread+0xcf/0xe0 +[ 6286.808770] [] ? kthread_create_on_node+0x140/0x140 +[ 6286.808772] [] ret_from_fork+0x7c/0xb0 +[ 6286.808773] [] ? kthread_create_on_node+0x140/0x140 +[ 6286.808774] ---[ end trace c6cdb939184ccb4e ]--- + +Signed-off-by: Maurizio Lombardi +Acked-by: Chad Dupuis +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -411,6 +411,7 @@ static int bnx2fc_rcv(struct sk_buff *sk + struct fc_frame_header *fh; + struct fcoe_rcv_info *fr; + struct fcoe_percpu_s *bg; ++ struct sk_buff *tmp_skb; + unsigned short oxid; + + interface = container_of(ptype, struct bnx2fc_interface, +@@ -423,6 +424,12 @@ static int bnx2fc_rcv(struct sk_buff *sk + goto err; + } + ++ tmp_skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!tmp_skb) ++ goto err; ++ ++ skb = tmp_skb; ++ + if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) { + printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n"); + goto err; diff --git a/queue-3.10/can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch b/queue-3.10/can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch new file mode 100644 index 00000000000..6728a2144bd --- /dev/null +++ b/queue-3.10/can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch @@ -0,0 +1,72 @@ +From 5247a589c24022ab34e780039cc8000c48f2035e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20K=C3=B6rper?= +Date: Fri, 31 Oct 2014 07:33:54 +0100 +Subject: can: dev: avoid calling kfree_skb() from interrupt context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Thomas=20K=C3=B6rper?= + +commit 5247a589c24022ab34e780039cc8000c48f2035e upstream. + +ikfree_skb() is Called in can_free_echo_skb(), which might be called from (TX +Error) interrupt, which triggers the folloing warning: + +[ 1153.360705] ------------[ cut here ]------------ +[ 1153.360715] WARNING: CPU: 0 PID: 31 at net/core/skbuff.c:563 skb_release_head_state+0xb9/0xd0() +[ 1153.360772] Call Trace: +[ 1153.360778] [] dump_stack+0x41/0x52 +[ 1153.360782] [] warn_slowpath_common+0x7e/0xa0 +[ 1153.360784] [] ? skb_release_head_state+0xb9/0xd0 +[ 1153.360786] [] ? skb_release_head_state+0xb9/0xd0 +[ 1153.360788] [] warn_slowpath_null+0x22/0x30 +[ 1153.360791] [] skb_release_head_state+0xb9/0xd0 +[ 1153.360793] [] skb_release_all+0x10/0x30 +[ 1153.360795] [] kfree_skb+0x36/0x80 +[ 1153.360799] [] ? can_free_echo_skb+0x28/0x40 [can_dev] +[ 1153.360802] [] can_free_echo_skb+0x28/0x40 [can_dev] +[ 1153.360805] [] esd_pci402_interrupt+0x34c/0x57a [esd402] +[ 1153.360809] [] handle_irq_event_percpu+0x35/0x180 +[ 1153.360811] [] ? handle_irq_event_percpu+0xa3/0x180 +[ 1153.360813] [] handle_irq_event+0x31/0x50 +[ 1153.360816] [] handle_fasteoi_irq+0x6f/0x120 +[ 1153.360818] [] ? handle_edge_irq+0x110/0x110 +[ 1153.360822] [] handle_irq+0x71/0x90 +[ 1153.360823] [] do_IRQ+0x3c/0xd0 +[ 1153.360829] [] common_interrupt+0x2c/0x34 +[ 1153.360834] [] ? finish_task_switch+0x47/0xf0 +[ 1153.360836] [] __schedule+0x35b/0x7e0 +[ 1153.360839] [] ? console_unlock+0x2c4/0x4d0 +[ 1153.360842] [] ? n_tty_receive_buf_common+0x890/0x890 +[ 1153.360845] [] ? process_one_work+0x196/0x370 +[ 1153.360847] [] schedule+0x23/0x60 +[ 1153.360849] [] worker_thread+0x161/0x460 +[ 1153.360852] [] ? __wake_up_locked+0x1f/0x30 +[ 1153.360854] [] ? rescuer_thread+0x2f0/0x2f0 +[ 1153.360856] [] kthread+0xa1/0xc0 +[ 1153.360859] [] ret_from_kernel_thread+0x21/0x30 +[ 1153.360861] [] ? kthread_create_on_node+0x110/0x110 +[ 1153.360863] ---[ end trace 5ff83639cbb74b35 ]--- + +This patch replaces the kfree_skb() by dev_kfree_skb_any(). + +Signed-off-by: Thomas Körper +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -385,7 +385,7 @@ void can_free_echo_skb(struct net_device + BUG_ON(idx >= priv->echo_skb_max); + + if (priv->echo_skb[idx]) { +- kfree_skb(priv->echo_skb[idx]); ++ dev_kfree_skb_any(priv->echo_skb[idx]); + priv->echo_skb[idx] = NULL; + } + } diff --git a/queue-3.10/input-xpad-use-proper-endpoint-type.patch b/queue-3.10/input-xpad-use-proper-endpoint-type.patch new file mode 100644 index 00000000000..68d10441421 --- /dev/null +++ b/queue-3.10/input-xpad-use-proper-endpoint-type.patch @@ -0,0 +1,50 @@ +From a1f9a4072655843fc03186acbad65990cc05dd2d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 25 Nov 2014 00:38:17 -0800 +Subject: Input: xpad - use proper endpoint type + +From: Greg Kroah-Hartman + +commit a1f9a4072655843fc03186acbad65990cc05dd2d upstream. + +The xpad wireless endpoint is not a bulk endpoint on my devices, but +rather an interrupt one, so the USB core complains when it is submitted. +I'm guessing that the author really did mean that this should be an +interrupt urb, but as there are a zillion different xpad devices out +there, let's cover out bases and handle both bulk and interrupt +endpoints just as easily. + +Signed-off-by: "Pierre-Loup A. Griffais" +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -1002,9 +1002,19 @@ static int xpad_probe(struct usb_interfa + } + + ep_irq_in = &intf->cur_altsetting->endpoint[1].desc; +- usb_fill_bulk_urb(xpad->bulk_out, udev, +- usb_sndbulkpipe(udev, ep_irq_in->bEndpointAddress), +- xpad->bdata, XPAD_PKT_LEN, xpad_bulk_out, xpad); ++ if (usb_endpoint_is_bulk_out(ep_irq_in)) { ++ usb_fill_bulk_urb(xpad->bulk_out, udev, ++ usb_sndbulkpipe(udev, ++ ep_irq_in->bEndpointAddress), ++ xpad->bdata, XPAD_PKT_LEN, ++ xpad_bulk_out, xpad); ++ } else { ++ usb_fill_int_urb(xpad->bulk_out, udev, ++ usb_sndintpipe(udev, ++ ep_irq_in->bEndpointAddress), ++ xpad->bdata, XPAD_PKT_LEN, ++ xpad_bulk_out, xpad, 0); ++ } + + /* + * Submit the int URB immediately rather than waiting for open diff --git a/queue-3.10/iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch b/queue-3.10/iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch new file mode 100644 index 00000000000..b6c61841258 --- /dev/null +++ b/queue-3.10/iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch @@ -0,0 +1,96 @@ +From 3b726ae2de02a406cc91903f80132daee37b6f1b Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Tue, 28 Oct 2014 13:45:03 -0700 +Subject: iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly + +From: Sagi Grimberg + +commit 3b726ae2de02a406cc91903f80132daee37b6f1b upstream. + +In this case the cm_id->context is the isert_np, and the cm_id->qp +is NULL, so use that to distinct the cases. + +Since we don't expect any other events on this cm_id we can +just return -1 for explicit termination of the cm_id by the +cma layer. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -585,14 +585,25 @@ wake_up: + complete(&isert_conn->conn_wait); + } + +-static void ++static int + isert_disconnected_handler(struct rdma_cm_id *cma_id, bool disconnect) + { +- struct isert_conn *isert_conn = (struct isert_conn *)cma_id->context; ++ struct isert_conn *isert_conn; ++ ++ if (!cma_id->qp) { ++ struct isert_np *isert_np = cma_id->context; ++ ++ isert_np->np_cm_id = NULL; ++ return -1; ++ } ++ ++ isert_conn = (struct isert_conn *)cma_id->context; + + isert_conn->disconnect = disconnect; + INIT_WORK(&isert_conn->conn_logout_work, isert_disconnect_work); + schedule_work(&isert_conn->conn_logout_work); ++ ++ return 0; + } + + static int +@@ -607,6 +618,9 @@ isert_cma_handler(struct rdma_cm_id *cma + switch (event->event) { + case RDMA_CM_EVENT_CONNECT_REQUEST: + ret = isert_connect_request(cma_id, event); ++ if (ret) ++ pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n", ++ event->event, ret); + break; + case RDMA_CM_EVENT_ESTABLISHED: + isert_connected_handler(cma_id); +@@ -616,7 +630,7 @@ isert_cma_handler(struct rdma_cm_id *cma + case RDMA_CM_EVENT_DEVICE_REMOVAL: /* FALLTHRU */ + disconnect = true; + case RDMA_CM_EVENT_TIMEWAIT_EXIT: /* FALLTHRU */ +- isert_disconnected_handler(cma_id, disconnect); ++ ret = isert_disconnected_handler(cma_id, disconnect); + break; + case RDMA_CM_EVENT_CONNECT_ERROR: + default: +@@ -624,12 +638,6 @@ isert_cma_handler(struct rdma_cm_id *cma + break; + } + +- if (ret != 0) { +- pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n", +- event->event, ret); +- dump_stack(); +- } +- + return ret; + } + +@@ -2233,7 +2241,8 @@ isert_free_np(struct iscsi_np *np) + { + struct isert_np *isert_np = (struct isert_np *)np->np_context; + +- rdma_destroy_id(isert_np->np_cm_id); ++ if (isert_np->np_cm_id) ++ rdma_destroy_id(isert_np->np_cm_id); + + np->np_context = NULL; + kfree(isert_np); diff --git a/queue-3.10/nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch b/queue-3.10/nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch new file mode 100644 index 00000000000..bdecf30f204 --- /dev/null +++ b/queue-3.10/nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch @@ -0,0 +1,50 @@ +From c6c15e1ed303ffc47e696ea1c9a9df1761c1f603 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 19 Nov 2014 12:47:50 -0500 +Subject: nfsd: Fix slot wake up race in the nfsv4.1 callback code + +From: Trond Myklebust + +commit c6c15e1ed303ffc47e696ea1c9a9df1761c1f603 upstream. + +The currect code for nfsd41_cb_get_slot() and nfsd4_cb_done() has no +locking in order to guarantee atomicity, and so allows for races of +the form. + +Task 1 Task 2 +====== ====== +if (test_and_set_bit(0) != 0) { + clear_bit(0) + rpc_wake_up_next(queue) + rpc_sleep_on(queue) + return false; +} + +This patch breaks the race condition by adding a retest of the bit +after the call to rpc_sleep_on(). + +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4callback.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -784,8 +784,12 @@ static bool nfsd41_cb_get_slot(struct nf + { + if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) { + rpc_sleep_on(&clp->cl_cb_waitq, task, NULL); +- dprintk("%s slot is busy\n", __func__); +- return false; ++ /* Race breaker */ ++ if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) { ++ dprintk("%s slot is busy\n", __func__); ++ return false; ++ } ++ rpc_wake_up_queued_task(&clp->cl_cb_waitq, task); + } + return true; + } diff --git a/queue-3.10/nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch b/queue-3.10/nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch new file mode 100644 index 00000000000..1960c587a2b --- /dev/null +++ b/queue-3.10/nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch @@ -0,0 +1,122 @@ +From bf7bd3e98be5c74813bee6ad496139fb0a011b3b Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 15 Aug 2013 16:55:26 -0400 +Subject: nfsd4: fix leak of inode reference on delegation failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: "J. Bruce Fields" + +commit bf7bd3e98be5c74813bee6ad496139fb0a011b3b upstream. + +This fixes a regression from 68a3396178e6688ad7367202cdf0af8ed03c8727 +"nfsd4: shut down more of delegation earlier". + +After that commit, nfs4_set_delegation() failures result in +nfs4_put_delegation being called, but nfs4_put_delegation doesn't free +the nfs4_file that has already been set by alloc_init_deleg(). + +This can result in an oops on later unmounting the exported filesystem. + +Note also delaying the fi_had_conflict check we're able to return a +better error (hence give 4.1 clients a better idea why the delegation +failed; though note CONFLICT isn't an exact match here, as that's +supposed to indicate a current conflict, but all we know here is that +there was one recently). + +Reported-by: Toralf Förster +Tested-by: Toralf Förster +Signed-off-by: J. Bruce Fields +[tuomasjjrasanen: backported to 3.10 + Conflicts fs/nfsd/nfs4state.c: + Delegation type flags have been removed from upstream code. In 3.10-series, + they still exists and therefore the commit caused few conflicts in function + signatures. +] +Signed-off-by: Tuomas Räsänen +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -367,7 +367,6 @@ static struct nfs4_delegation * + alloc_init_deleg(struct nfs4_client *clp, struct nfs4_ol_stateid *stp, struct svc_fh *current_fh, u32 type) + { + struct nfs4_delegation *dp; +- struct nfs4_file *fp = stp->st_file; + + dprintk("NFSD alloc_init_deleg\n"); + /* +@@ -377,8 +376,6 @@ alloc_init_deleg(struct nfs4_client *clp + */ + if (type != NFS4_OPEN_DELEGATE_READ) + return NULL; +- if (fp->fi_had_conflict) +- return NULL; + if (num_delegations > max_delegations) + return NULL; + dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab)); +@@ -395,8 +392,7 @@ alloc_init_deleg(struct nfs4_client *clp + INIT_LIST_HEAD(&dp->dl_perfile); + INIT_LIST_HEAD(&dp->dl_perclnt); + INIT_LIST_HEAD(&dp->dl_recall_lru); +- get_nfs4_file(fp); +- dp->dl_file = fp; ++ dp->dl_file = NULL; + dp->dl_type = type; + fh_copy_shallow(&dp->dl_fh, ¤t_fh->fh_handle); + dp->dl_time = 0; +@@ -2965,22 +2961,35 @@ static int nfs4_setlease(struct nfs4_del + return 0; + } + +-static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag) ++static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag, struct nfs4_file *fp) + { +- struct nfs4_file *fp = dp->dl_file; ++ int status; + +- if (!fp->fi_lease) +- return nfs4_setlease(dp, flag); ++ if (fp->fi_had_conflict) ++ return -EAGAIN; ++ get_nfs4_file(fp); ++ dp->dl_file = fp; ++ if (!fp->fi_lease) { ++ status = nfs4_setlease(dp, flag); ++ if (status) ++ goto out_free; ++ return 0; ++ } + spin_lock(&recall_lock); + if (fp->fi_had_conflict) { + spin_unlock(&recall_lock); +- return -EAGAIN; ++ status = -EAGAIN; ++ goto out_free; + } + atomic_inc(&fp->fi_delegees); + list_add(&dp->dl_perfile, &fp->fi_delegations); + spin_unlock(&recall_lock); + list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations); + return 0; ++out_free: ++ put_nfs4_file(fp); ++ dp->dl_file = fp; ++ return status; + } + + static void nfsd4_open_deleg_none_ext(struct nfsd4_open *open, int status) +@@ -3046,7 +3055,7 @@ nfs4_open_delegation(struct net *net, st + dp = alloc_init_deleg(oo->oo_owner.so_client, stp, fh, flag); + if (dp == NULL) + goto out_no_deleg; +- status = nfs4_set_delegation(dp, flag); ++ status = nfs4_set_delegation(dp, flag, stp->st_file); + if (status) + goto out_free; + diff --git a/queue-3.10/rt2x00-do-not-align-payload-on-modern-h-w.patch b/queue-3.10/rt2x00-do-not-align-payload-on-modern-h-w.patch new file mode 100644 index 00000000000..b79f98453d7 --- /dev/null +++ b/queue-3.10/rt2x00-do-not-align-payload-on-modern-h-w.patch @@ -0,0 +1,117 @@ +From cfd9167af14eb4ec21517a32911d460083ee3d59 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Tue, 11 Nov 2014 14:28:47 +0100 +Subject: rt2x00: do not align payload on modern H/W + +From: Stanislaw Gruszka + +commit cfd9167af14eb4ec21517a32911d460083ee3d59 upstream. + +RT2800 and newer hardware require padding between header and payload if +header length is not multiple of 4. + +For historical reasons we also align payload to to 4 bytes boundary, but +such alignment is not needed on modern H/W. + +Patch fixes skb_under_panic problems reported from time to time: + +https://bugzilla.kernel.org/show_bug.cgi?id=84911 +https://bugzilla.kernel.org/show_bug.cgi?id=72471 +http://marc.info/?l=linux-wireless&m=139108549530402&w=2 +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087591 + +Panic happened because we eat 4 bytes of skb headroom on each +(re)transmission when sending frame without the payload and the header +length not being multiple of 4 (i.e. QoS header has 26 bytes). On such +case because paylad_aling=2 is bigger than header_align=0 we increase +header_align by 4 bytes. To prevent that we could change the check to: + + if (payload_length && payload_align > header_align) + header_align += 4; + +but not aligning payload at all is more effective and alignment is not +really needed by H/W (that has been tested on OpenWrt project for few +years now). + +Reported-and-tested-by: Antti S. Lankila +Debugged-by: Antti S. Lankila +Reported-by: Henrik Asp +Originally-From: Helmut Schaa +Signed-off-by: Stanislaw Gruszka +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rt2x00/rt2x00queue.c | 50 +++++++----------------------- + 1 file changed, 12 insertions(+), 38 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c +@@ -160,55 +160,29 @@ void rt2x00queue_align_frame(struct sk_b + skb_trim(skb, frame_length); + } + +-void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length) ++/* ++ * H/W needs L2 padding between the header and the paylod if header size ++ * is not 4 bytes aligned. ++ */ ++void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len) + { +- unsigned int payload_length = skb->len - header_length; +- unsigned int header_align = ALIGN_SIZE(skb, 0); +- unsigned int payload_align = ALIGN_SIZE(skb, header_length); +- unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0; +- +- /* +- * Adjust the header alignment if the payload needs to be moved more +- * than the header. +- */ +- if (payload_align > header_align) +- header_align += 4; ++ unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0; + +- /* There is nothing to do if no alignment is needed */ +- if (!header_align) ++ if (!l2pad) + return; + +- /* Reserve the amount of space needed in front of the frame */ +- skb_push(skb, header_align); +- +- /* +- * Move the header. +- */ +- memmove(skb->data, skb->data + header_align, header_length); +- +- /* Move the payload, if present and if required */ +- if (payload_length && payload_align) +- memmove(skb->data + header_length + l2pad, +- skb->data + header_length + l2pad + payload_align, +- payload_length); +- +- /* Trim the skb to the correct size */ +- skb_trim(skb, header_length + l2pad + payload_length); ++ skb_push(skb, l2pad); ++ memmove(skb->data, skb->data + l2pad, hdr_len); + } + +-void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length) ++void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len) + { +- /* +- * L2 padding is only present if the skb contains more than just the +- * IEEE 802.11 header. +- */ +- unsigned int l2pad = (skb->len > header_length) ? +- L2PAD_SIZE(header_length) : 0; ++ unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0; + + if (!l2pad) + return; + +- memmove(skb->data + l2pad, skb->data, header_length); ++ memmove(skb->data + l2pad, skb->data, hdr_len); + skb_pull(skb, l2pad); + } + diff --git a/queue-3.10/series b/queue-3.10/series index 2896f9ee7ba..a5529b0a043 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -29,3 +29,15 @@ usb-quirks-add-reset-resume-quirk-for-ms-wireless-laser-mouse-6000.patch usb-xhci-don-t-start-a-halted-endpoint-before-its-new-dequeue-is-set.patch can-esd_usb2-fix-memory-leak-on-disconnect.patch alsa-usb-audio-add-ctrl-message-delay-quirk-for.patch +arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch +arm-8222-1-mvebu-enable-strex-backoff-delay.patch +input-xpad-use-proper-endpoint-type.patch +srp-target-retry-when-qp-creation-fails-with-enomem.patch +target-don-t-call-tfo-write_pending-if-data_length-0.patch +iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch +spi-dw-fix-dynamic-speed-change.patch +can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch +rt2x00-do-not-align-payload-on-modern-h-w.patch +nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch +nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch +bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch diff --git a/queue-3.10/spi-dw-fix-dynamic-speed-change.patch b/queue-3.10/spi-dw-fix-dynamic-speed-change.patch new file mode 100644 index 00000000000..0586e6c5582 --- /dev/null +++ b/queue-3.10/spi-dw-fix-dynamic-speed-change.patch @@ -0,0 +1,67 @@ +From 0a8727e69778683495058852f783eeda141a754e Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Thu, 6 Nov 2014 13:54:27 -0600 +Subject: spi: dw: Fix dynamic speed change. + +From: Thor Thayer + +commit 0a8727e69778683495058852f783eeda141a754e upstream. + +An IOCTL call that calls spi_setup() and then dw_spi_setup() will +overwrite the persisted last transfer speed. On each transfer, the +SPI speed is compared to the last transfer speed to determine if the +clock divider registers need to be updated (did the speed change?). +This bug was observed with the spidev driver using spi-config to +update the max transfer speed. + +This fix: Don't overwrite the persisted last transaction clock speed +when updating the SPI parameters in dw_spi_setup(). On the next +transaction, the new speed won't match the persisted last speed +and the hardware registers will be updated. +On initialization, the persisted last transaction clock +speed will be 0 but will be updated after the first SPI +transaction. + +Move zeroed clock divider check into clock change test because +chip->clk_div is zero on startup and would cause a divide-by-zero +error. The calculation was wrong as well (can't support odd #). + +Reported-by: Vlastimil Setka +Signed-off-by: Vlastimil Setka +Signed-off-by: Thor Thayer +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-dw.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/spi/spi-dw.c ++++ b/drivers/spi/spi-dw.c +@@ -394,9 +394,6 @@ static void pump_transfers(unsigned long + chip = dws->cur_chip; + spi = message->spi; + +- if (unlikely(!chip->clk_div)) +- chip->clk_div = dws->max_freq / chip->speed_hz; +- + if (message->state == ERROR_STATE) { + message->status = -EIO; + goto early_exit; +@@ -438,7 +435,7 @@ static void pump_transfers(unsigned long + if (transfer->speed_hz) { + speed = chip->speed_hz; + +- if (transfer->speed_hz != speed) { ++ if ((transfer->speed_hz != speed) || (!chip->clk_div)) { + speed = transfer->speed_hz; + if (speed > dws->max_freq) { + printk(KERN_ERR "MRST SPI0: unsupported" +@@ -677,7 +674,6 @@ static int dw_spi_setup(struct spi_devic + dev_err(&spi->dev, "No max speed HZ parameter\n"); + return -EINVAL; + } +- chip->speed_hz = spi->max_speed_hz; + + chip->tmode = 0; /* Tx & Rx */ + /* Default SPI mode is SCPOL = 0, SCPH = 0 */ diff --git a/queue-3.10/srp-target-retry-when-qp-creation-fails-with-enomem.patch b/queue-3.10/srp-target-retry-when-qp-creation-fails-with-enomem.patch new file mode 100644 index 00000000000..59f503f5e8d --- /dev/null +++ b/queue-3.10/srp-target-retry-when-qp-creation-fails-with-enomem.patch @@ -0,0 +1,48 @@ +From ab477c1ff5e0a744c072404bf7db51bfe1f05b6e Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Sun, 19 Oct 2014 18:05:33 +0300 +Subject: srp-target: Retry when QP creation fails with ENOMEM + +From: Bart Van Assche + +commit ab477c1ff5e0a744c072404bf7db51bfe1f05b6e upstream. + +It is not guaranteed to that srp_sq_size is supported +by the HCA. So if we failed to create the QP with ENOMEM, +try with a smaller srp_sq_size. Keep it up until we hit +MIN_SRPT_SQ_SIZE, then fail the connection. + +Reported-by: Mark Lehrer +Signed-off-by: Bart Van Assche +Signed-off-by: Sagi Grimberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2101,6 +2101,7 @@ static int srpt_create_ch_ib(struct srpt + if (!qp_init) + goto out; + ++retry: + ch->cq = ib_create_cq(sdev->device, srpt_completion, NULL, ch, + ch->rq_size + srp_sq_size, 0); + if (IS_ERR(ch->cq)) { +@@ -2124,6 +2125,13 @@ static int srpt_create_ch_ib(struct srpt + ch->qp = ib_create_qp(sdev->pd, qp_init); + if (IS_ERR(ch->qp)) { + ret = PTR_ERR(ch->qp); ++ if (ret == -ENOMEM) { ++ srp_sq_size /= 2; ++ if (srp_sq_size >= MIN_SRPT_SQ_SIZE) { ++ ib_destroy_cq(ch->cq); ++ goto retry; ++ } ++ } + printk(KERN_ERR "failed to create_qp ret= %d\n", ret); + goto err_destroy_cq; + } diff --git a/queue-3.10/target-don-t-call-tfo-write_pending-if-data_length-0.patch b/queue-3.10/target-don-t-call-tfo-write_pending-if-data_length-0.patch new file mode 100644 index 00000000000..b1f77b23576 --- /dev/null +++ b/queue-3.10/target-don-t-call-tfo-write_pending-if-data_length-0.patch @@ -0,0 +1,35 @@ +From 885e7b0e181c14e4d0ddd26c688bad2b84c1ada9 Mon Sep 17 00:00:00 2001 +From: Roland Dreier +Date: Tue, 14 Oct 2014 14:16:24 -0700 +Subject: target: Don't call TFO->write_pending if data_length == 0 + +From: Roland Dreier + +commit 885e7b0e181c14e4d0ddd26c688bad2b84c1ada9 upstream. + +If an initiator sends a zero-length command (e.g. TEST UNIT READY) but +sets the transfer direction in the transport layer to indicate a +data-out phase, we still shouldn't try to transfer data. At best it's +a NOP, and depending on the transport, we might crash on an +uninitialized sg list. + +Reported-by: Craig Watson +Signed-off-by: Roland Dreier +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2128,7 +2128,7 @@ transport_generic_new_cmd(struct se_cmd + * and let it call back once the write buffers are ready. + */ + target_add_to_state_list(cmd); +- if (cmd->data_direction != DMA_TO_DEVICE) { ++ if (cmd->data_direction != DMA_TO_DEVICE || cmd->data_length == 0) { + target_execute_cmd(cmd); + return 0; + }